Security Metrics Of Insider Threats Information Technology Essay

Published: November 30, 2015 Words: 1939

Technology develops day by day, and it can be used for both good and evil. Nowadays organisations face severe problems because of threats, and people generally assume those threats come from outside. A recent study (Bill Brenner - CISCO 2011) stated that outside threats such as computer hijacking, social engineering and software flaws are used to attack networks, but the 2011 CyberSecurity Watch Survey specified that malicious insider threats are a greater cause for concern than outsider threats and are also more financially costly. Insider threats are becoming more sophisticated because rootkits and hacker tools are easily available. These threats are not only costly but also very tough to quantify and recover from, because an insider has the capability to bypass the technical and physical security measures of the organization.

Insider Threats:

An insider threat is anyone, whether a current or former employee, network-connected user, IT provider or contractor, who deliberately exceeds or misuses access in a way that maliciously affects the confidentiality, integrity, or availability of the organization's critical data, information systems and network.

An insider may also target the security of the organisation's systems, data and business operations, performing malicious activities such as sabotage, purposefully leaking confidential data or stealing data. Threats coming from outside are more numerous, but the damage is comparatively less than from insiders, because insiders know the organization's risks. An insider is also aware of the technical flaws, procedures and policies of the organization. Employee fraud and IT sabotage are the main categories of insider threat. These threats are mainly caused by grudges, insufficient increases in salary and bonuses, anger, revenge and compensation.

Schultz (2002) says "an insider attack can be defined as the intentional misuse of computer systems by users who are authorized to access those systems and networks".

Einwechter (2002) describes "an internal attacker as someone entrusted with authorized access who instead of fulfilling assigned responsibilities, manipulates access to a system to exploit it (e.g., to damage it or steal sensitive information)".

Examples:

A network administrator was jailed for destroying his previous employer's website. On June 29th 2010, Albert-El deliberately damaged a protected computer without proper authorization. Previously he had worked as an Information Technology director in the telecommunications area of Transmarx LLC. He connected to the network from his personal computer and started deleting Transmarx's critical data. In total he deleted 1000 important files from the website, a loss of $6000 to the company.

On 11th Jan 2011, Douglas James Duchak was sent to prison for 2 years for hacking a TSA computer. The judge fined him $60,587 for repairs. On 23rd Oct 2009, while Duchak was working at the TSA, he intentionally damaged a computer by introducing a logic bomb into the system. That system handled critical data, comparing air travellers against arrest warrants. The damage was later identified by contractors and he was then terminated from his job.

The main infrastructure sectors affected by insiders are Information and Telecommunications, Banking and Finance, Government, Defence Industrial Base, Food, Postal and Shipping, Internet service providers, Newspapers, Technical consultancies and Transportation. Insider threats are mostly caused by technical department employees within their specific area of work, for which they plan in advance. Insiders always try to conceal their identities and activities. An insider might act both from within the organization and from a remote location. Insiders use sophisticated tools and methods: spoofing, flooding, malicious code (viruses, scripts, logic bombs), toolkits, scanning, probing, compromised accounts and backdoor accounts.

Source: http://www.cert.org/archive/pdf/RSA-CERT-InsiderThreat.pdf

The basic problems with insiders are maliciousness, carelessness, and disdain for or ignorance of security policies and practices. To reduce these problems, the affected sectors must establish criticality (what the critical assets are), protect information assets (identify and reduce vulnerabilities, limit asset sharing, and employ security policies), establish trustworthiness (assurance in trusting people, programs, practices and systems), build up management practices and security principles, notice problems and fix problems.

Rasmussen (2011) says "According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider." So organisations need control over insider threats. Insider risks can be managed by the following controls:

Categorizing and impact investigation: Critical data must be categorized by integrity, confidentiality and availability. According to the classified data system, boundaries must be identified such as network, people, systems, data flow and printed data.

| Critical data        | Integrity | Confidentiality | Availability |
|----------------------|-----------|-----------------|--------------|
| Financial Issues     | High      | High            | High         |
| Business particulars | Medium    | High            | Medium       |
| Human Resources      | Medium    | High            | Low          |

Firewalls, electronic building access and intrusion detection systems can defend against external threats, but the open question is how insider threats can be measured. They can be measured and prevented by:

1) A layered defence strategy consisting of policies and procedures
2) Close attention to critical data, financial policies and procedures, the technical environment and organization culture
3) Managers concentrating more on the business processes and information technology of the organization
4) Regular risk assessment within the organization to protect assets
5) A security awareness program
6) Effective separation of duties and least privilege
7) Actively defending against logic bombs and malicious code
8) Quick attention to distrustful and disruptive behaviours
9) Immediately deactivating the network access of an employee who has been terminated
10) A secure backup and recovery process
11) Conducting background checks and reviewing system logs
12) Implementing strong passwords and account management policies and procedures
13) Implementing data loss prevention with internal monitoring tools and vulnerability management systems
14) Phone records
15) Failed logins
16) Forensic examination of the affected system or network
17) File access logs
18) Email logs
19) Remote access logs
20) Database/application logs
21) System logs and system file change logs
22) Deletion and modification of records
23) Security audits
24) Host-based firewall and antivirus
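As an added example that is not part of the original essay, the following Python script shows how several of the controls above (deactivating terminated employees' access, watching failed logins, and reviewing file access, remote access and deletion records) turn into concrete checks over log data. The HR termination list, the log lines and their "timestamp source event user=... key=value" format are all constructed for this example; a real deployment would adapt the parser to its own SIEM or syslog export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from any real system): an HR feed of
# terminated accounts and a few log lines in an assumed simple format.
TERMINATED = {
    "jdoe": datetime(2011, 1, 11, 17, 0),   # account should have been disabled at this time
}

SAMPLE_LOG = """\
2011-01-11T16:30:00 file READ       user=jdoe   path=/finance/payroll.xlsx
2011-01-12T02:14:03 vpn  LOGIN_OK   user=jdoe   src=203.0.113.7
2011-01-12T02:15:42 file DELETE     user=jdoe   path=/finance/q4_report.docx
2011-01-12T09:01:00 auth LOGIN_FAIL user=asmith src=10.0.0.5
2011-01-12T09:01:04 auth LOGIN_FAIL user=asmith src=10.0.0.5
2011-01-12T09:01:09 auth LOGIN_FAIL user=asmith src=10.0.0.5
2011-01-12T09:01:15 auth LOGIN_FAIL user=asmith src=10.0.0.5
2011-01-12T09:01:20 auth LOGIN_FAIL user=asmith src=10.0.0.5
2011-01-12T09:02:00 auth LOGIN_OK   user=asmith src=10.0.0.5
2011-01-12T10:30:00 file READ       user=bking  path=/hr/reviews.docx
2011-01-12T22:45:00 file DELETE     user=bking  path=/finance/ledger.xlsx
"""

# Assumed line layout: ISO timestamp, log source, event name, user=..., then src=... or path=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+"
    r"(?P<key>src|path)=(?P<value>\S+)$"
)


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def access_after_termination(events, terminated):
    """Deactivation control: any event by a terminated user after their termination time."""
    return [ev for ev in events
            if ev["user"] in terminated and ev["ts"] > terminated[ev["user"]]]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Failed-login control: `threshold` or more LOGIN_FAIL events for one
    user/source pair inside `window`, found with a sliding window over sorted times."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGIN_FAIL":
            fails[(ev["user"], ev["value"])].append(ev["ts"])
    findings = []
    for (user, src), times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "src": src,
                                 "count": end - start + 1, "last": times[end]})
                break   # one finding per user/source pair is enough for triage
    return findings


def off_hours_deletions(events, sensitive_prefix="/finance/", start_hour=8, end_hour=18):
    """File access and deletion-record controls: DELETE of a sensitive file outside business hours."""
    return [ev for ev in events
            if ev["event"] == "DELETE"
            and ev["key"] == "path"
            and ev["value"].startswith(sensitive_prefix)
            and not (start_hour <= ev["ts"].hour < end_hour)]


def review(text, terminated=TERMINATED):
    """Run all three checks and return the findings grouped by check."""
    events = parse_log(text)
    return {
        "terminated_access": access_after_termination(events, terminated),
        "failed_login_bursts": failed_login_bursts(events),
        "off_hours_deletions": off_hours_deletions(events),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the constructed sample the script reports two events by the terminated account after its termination time, one burst of five failed logins from a single source, and two off-hours deletions under the sensitive path. The thresholds, the sensitive path prefix and the business hours are assumptions and should be tuned to the organization's own baseline.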

Examples of threat measurements:

In a recent survey, Framingham (2010) reports that 23% of insider threats are due to unauthorized access to systems or networks. Viruses, worms, spyware and theft account for around 15%. Next, financial fraud, intentional access to private data and sabotage are around 10%. Finally, email spam, botnets, phishing and a few others are also considerable at around 5%. How are these threats caused in organizations? They come through laptops (45%), USB devices (42%), data downloaded to home devices (38%), emails (34%), shared data (33%), stolen printed data (30%), compromised accounts (28%), remote access (25%), mobiles (20%), social engineering (17%) and the rest, such as password sniffers, backdoors and hacking tools, at around 10%; finally, malicious code and logic bombs are 5% and 3% respectively.

These are some of the losses organizations face from insider threats: operational loss 25%, financial loss 13%, loss of reputation and of intellectual property 15%, and loss of critical data 16%.

A recent Cyber-Ark survey found that 71% of employees copy confidential office work to their emails, mobile devices and laptops to take home. When those employees move to another employer they might reuse the same piece of work, so companies must make sure confidential data is removed from their devices and must also stop their access to the company's internal mail and database.

The best way to reduce insider threats is to raise cybersecurity awareness among employees and to use internal checking tools such as web filtering, intrusion and extrusion detection, data loss prevention, access management, vulnerability management, log file monitoring, careful review of background check results, layered defence against remote attacks and strong defence against malicious data.

Insider Characteristics:

Dawn (2008) believes that insiders range in age from 17 to 58 and are predominantly men. Around 40% of insiders had already been arrested before. They come from a variety of racial and ethnic backgrounds. They were single, not yet married, when the threat happened. Most of them are full-time employees. They try to change and modify the system log to implicate some other action. They use others' terminals to carry out insider threats by creating backdoors and unauthorized access. They then disable the anti-virus on their system and run the malicious code or virus.

Attributes such as risk, motivation, knowledge, access, privileges and skills of the insider combine to create an insider threat. These threats are very complex, real, hard to notice, challenging and appalling. Organizations take a calm and quiet approach to reduce adverse effects such as publicity of the occurrence. Human problems cannot be solved by technical solutions alone; in such cases there is a need to develop security metrics which can greatly minimize threats to and vulnerabilities of the information system.

Risk: A successful attack is nothing but an organization's failure. It is considered a defeat for the organization when a harmful insider attacks it. The system is at 100% risk when an insider poses a threat to it, as useful information is captured by someone else. The organization has to be very careful in taking the necessary security measures so as not to be attacked by an intruder, who might attack the system either autonomously or with the help of other trusted parties.

Motivation: The insider is financially motivated by other sources when he performs an attack on a system that contains information. When an important system is disrupted by the insider, he is rewarded and encouraged with large sums. So motivation becomes a major factor for him to attack the system.

Knowledge: As the insider is responsible for many of the threats in the network, he does it by having extensive knowledge of both the target and the system. He is able to gather the detailed information required for a particular attack. He successfully carries out the threat by having command of the entire system that he wants to attack.

Access: In some cases, the insider gets unfettered access to many parts of the system. He achieves this by taking the whole system under his control. Then he attacks the target from inside the system's perimeter defence. It becomes simpler and easier for him to attack the system as he has access to almost all parts of it.

Privileges: Insiders can attack the system very easily as they face no problems with user privileges. They first check whether the system can be accessed without any credentials. If he finds the system to be credential-free, he directly gains access to it. If he finds the system locked behind user access, he tries to get the administrator's help in gaining access to the system. Then he is able to mount an attack. So the administrator has to be very careful not to provide the user's access credentials to the insider.

Skills: The insider attacks the system with all the skills he has acquired before targeting it. Despite being new to a particular target, he succeeds in attacking it with all the skills and knowledge he has.

Information Security Metrics:

Shirley (2006) helps in understanding what metrics are by explaining the difference between metrics and measurements. Measurements provide "single-point-in-time" views of specific or discrete factors. Metrics result from comparing two or more predetermined measurements taken over a period. Measurements are produced by counting, and metrics are produced by analysis. Finally, measurements are objective raw data, but metrics are subjective or objective human interpretations of specific data. Good metrics are SMART, i.e. "Specific, Measurable, Attainable, Repeatable and Time dependent". Metrics are effective tools for security managers to raise security awareness in the organization and to identify risks. The main uses of information security metrics are strategic support, quality assurance and tactical oversight.
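To make the measurement/metric distinction concrete, here is an added Python example (not from the essay or from Shirley's paper) that takes monthly counts of the kind an identity team can produce, such as leavers whose accounts were disabled within 24 hours and privileged accounts re-approved, and derives insider-threat metrics from them: percentages against a stated target, and the trend across periods, which needs at least two measurements. All figures, field names and targets are constructed for the example.

```python
from dataclasses import dataclass


# Constructed monthly measurements (single-point-in-time counts), not real data.
# Each row is what an identity or security team could count at month end.
@dataclass(frozen=True)
class Measurement:
    period: str                 # reporting month, e.g. "2011-01"
    terminated: int             # accounts belonging to leavers this month
    disabled_within_24h: int    # of those, disabled within one day of termination
    privileged_accounts: int    # accounts holding administrative rights
    privileged_reviewed: int    # admin accounts whose need was re-approved this month
    headcount: int              # total staff
    awareness_trained: int      # staff who have completed awareness training


MEASUREMENTS = [
    Measurement("2010-11", terminated=12, disabled_within_24h=7,
                privileged_accounts=40, privileged_reviewed=20,
                headcount=500, awareness_trained=310),
    Measurement("2010-12", terminated=9, disabled_within_24h=6,
                privileged_accounts=42, privileged_reviewed=30,
                headcount=505, awareness_trained=360),
    Measurement("2011-01", terminated=15, disabled_within_24h=14,
                privileged_accounts=38, privileged_reviewed=38,
                headcount=510, awareness_trained=430),
]

# Assumed targets (the "Specific" and "Attainable" parts of SMART), as percentages.
TARGETS = {
    "deprovision_24h_pct": 90.0,
    "privileged_review_pct": 100.0,
    "awareness_pct": 90.0,
}


def ratio(numerator, denominator):
    """Percentage, rounded to one decimal. A month with no leavers has nothing
    to deprovision, so an empty denominator is treated as the target being met."""
    if denominator == 0:
        return 100.0
    return round(100.0 * numerator / denominator, 1)


def metrics_for(m):
    """Derive one period's metrics from its raw counts (analysis, not counting)."""
    return {
        "period": m.period,
        "deprovision_24h_pct": ratio(m.disabled_within_24h, m.terminated),
        "privileged_review_pct": ratio(m.privileged_reviewed, m.privileged_accounts),
        "awareness_pct": ratio(m.awareness_trained, m.headcount),
    }


def trend(rows, key):
    """Change between consecutive periods; a metric needs two or more measurements."""
    values = [row[key] for row in rows]
    return [round(later - earlier, 1) for earlier, later in zip(values, values[1:])]


def report(measurements, targets):
    """Per-period metrics, their trend, and whether the latest period meets each target."""
    rows = [metrics_for(m) for m in measurements]
    latest = rows[-1]
    verdict = {key: ("met" if latest[key] >= target else "not met")
               for key, target in targets.items()}
    return {
        "rows": rows,
        "trend": {key: trend(rows, key) for key in targets},
        "latest_verdict": verdict,
    }


if __name__ == "__main__":
    result = report(MEASUREMENTS, TARGETS)
    for row in result["rows"]:
        print(row)
    print("trend:", result["trend"])
    print("latest period vs targets:", result["latest_verdict"])
```

Each percentage is a metric in Shirley's sense: it is computed from two measurements (a numerator and a denominator), is tied to a reporting period, and is compared against a predetermined target, so it can be repeated month after month. The trend list is what lets a security manager argue that a control is improving or slipping rather than reporting an isolated count.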

Conclusion: